Extraordinary HBOS security lapse left customer bank accounts open to hacking – experts comment

One of the UK’s largest banks is being investigated over an extraordinary security lapse which left customers’ bank accounts open to hacking by fraudsters for up to two years. Halifax and Bank of Scotland (HBOS) has admitted criminals could easily access customers’ bank details and other personal information using only their name, date of birth and postal address. Armed with this basic information, fraudsters could go on to view account numbers, sort codes and credit card details as well as any payments made or received by their victim.

@DFMag received the following comment from Ryan Wilk, director at NuData Security:

“This breach exposed records including incredibly personal data such as a person’s bank account number, name, address, date of birth and so on. Data thieves sell this information to aggregators, who cross-reference and compile full identities – called ‘fullz’ on the data black market. This increases the value and usefulness of the stolen data, which may have been gathered from multiple data breaches. With this level of information, fraudsters can create new bank accounts or take out loans under an actual person’s name, causing problems for fraud victims for years down the road.

“We’ve seen among our clients that account creation fraud attempts are on a sharp rise. Of the 500+ million account creations we analysed, more than 57% of them were flagged as fraudulent, and account creation fraud has risen over 100% since February of this year alone. That kind of long-term, big payout fraud can only happen with stolen customer PII.

“This underscores why it’s vital to switch from traditional and insecure KBA-based authentication – easily stolen, hard to replace – to user behavioral analytics (UBA) and passive biometrics. Harness the power of behavioral attributes to authenticate users in ways that are less intrusive yet more secure. We learn how legitimate users act and get a front row seat to watch thieves try and fail to game the system with their stolen data. Becoming complacent in an age of massive data breaches is both a financial and reputational hazard.”

Mark Bower, global enterprise director at HP Data Security, commented further:

“This hack underscores the need for companies to protect all of the sensitive information they hold on their customers – particularly fields like in this scenario that should not have been accessible in the clear so easily. Criminals are always looking for a way to exploit a system in a way that they can then monetize in various ways. In this case there is a further risk in that personal information about the user such as their name, account information and so on. Criminals could then use this information or sell it on for use in more targeted larger-scale spear-phishing or potential identity theft attacks, especially when combined with other identity information available for that consumer online or from other data thefts. Beyond the threat to customers’ sensitive data, companies need to be concerned with the impact such an event can have on their reputation and, ultimately, on their bottom line. A data-centric approach to security is the key cornerstone needed to allow companies to mitigate the risk and impact of these types of attacks.

“With the available technologies today to protect sensitive data fields in applications very easily and quickly, it’s a simple matter to cover all sensitive data to protect consumer trust and satisfaction. Securing sensitive personal data, which is commonly attacked to conduct fraud and irritating phone scams and phishing attacks at the expense and inconvenience of the British consumer, is a duty of every UK business today and not optional – and indeed a compliance requirement to the UK ICO privacy regulator.”